Creating a custom active STS for SharePoint 2010 with Windows Identity Foundation
Can anyone tell me whether I can create a custom active security token service for sharepoint 2010. I'm basically looking to create a custom sts whereby I don't have to leave the sharepoint site itself in order to log in.
I have seen examples of creating a custom passive sts, but can't see anything for a custom passive sts.
I'm pretty new to WIF, so any pointers or help would be really appreciated.
EDIT (22 Nov 2011): Ok, maybe I'm looking at this all wrong. The first problem is that I have web services and a web site(s) that will need to be claims aware, and resolve requests to each as the same identity (in this case I cannot use a passive sts for the services). The second problem is that I want to be able to integrate the logon facility onto the homepage of my web site - my understanding is that this can't be achieved with a passive sts.
EDIT (28 Nov 2011): So on the recommendations below I have implemented thinktecture identity server. I've got this to work in the passive scenario quite easily, but am still unable to get this to work with the ws-trust endpoint (active scenario). I've been trying to create a custom login webpart using WSTrustChannelFactory and UserNameWSTrustBinding, but whenever I call ValidateToken I get an error stating "The issuer of the token is not a trusted issuer". Trust should be already established, as I can log in using the passive logon mechanism.
Matt
Have a look at Identity Server. It's an active and passive custom security token service.
After spending a significant amount of time on this I got to the root of my problem (I think). I was trying to create a custom logon webpart that could be deployed on the homepage of my application. It turns out that somewhere in the ValidateToken implementation there is a call to SPPassiveIssuerName.GetIssuerName. Within this method there is a decision made based on the result of a call to TrustedProviderSignInPage.IsTrustedPageRequest (this method returns true if the HttpContext request is for something within the http://xxxx/_trust/ virtual directory).
If TrustedProviderSignInPage.IsTrustedPageRequest returns true, SharePoint looks in the TrustedLoginIssuerNameRegistry which is fine as my certificate is registered as trusted. However, if it returns false SharePoint only checks the LocalLoginIssuerNameRegistry - which is basically hard coded to only return the built-in login issuer. As my homepage doesn't reside in the /_trust/ directory this is never going to work - which is incredibly annoying!
So in summary - you can probably only do this in SharePoint if the page you're planning to put your login control on is in the /_trust/ directory.
IMPORTANT EDIT (01/12/2011): So after being thoroughly deflated yesterday, I had the idea of replacing the SharePoint built-in issuer name registry (SPPassiveIssuerNameRegistry) with the standard ConfigurationBasedIssuerNameRegistry and adding in my IP-STS as a trusted issuer. This got me a little further along the line, but I was still getting an error when calling SetPrincipalAndWriteSessionToken, that the issuer could not be found in the issuer name registry. I couldn't work this out for hours, but in the end I decided to implement a custom issuer name registry. After some debugging, it turns out that at some point during the claims creation process, SharePoint attempts to validate its built-in security token service (even though I'm not using it). So I reverted back to the configuration based issuer name registry, and added in the SharePoint one as a trusted issuer (as well as my own) - and it all seems to work - woop! I'll blog the full solution at some point and post back here with a link. Let's hope it sticks!!
Matt
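The registry swap described in the answer above, shown as a web.config fragment for the SharePoint web application. This is an added illustration, not the poster's own files: the default SharePoint 2010 entry is shown first, then the replacement that uses the standard WIF 3.5 ConfigurationBasedIssuerNameRegistry with two trusted issuers, the IP-STS and SharePoint's own STS. The two thumbprint values are placeholders; the assembly names, versions and public key tokens are the standard WIF 3.5 and SharePoint 2010 ones.

```xml
<!-- Added example. Section inside <configuration>; only the issuerNameRegistry element changes. -->
<microsoft.identityModel>
  <service>

    <!-- BEFORE: the SharePoint 2010 default. Outside /_trust/ this falls back to the
         local-login registry, which only knows the built-in SharePoint issuer, so a
         token from an external IP-STS fails with "not a trusted issuer". -->
    <!--
    <issuerNameRegistry type="Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    -->

    <!-- AFTER: the stock WIF registry with an explicit allow-list of signing certificates.
         Each entry is keyed on the SHA-1 thumbprint of a token-SIGNING certificate and maps
         it to the issuer name that ends up in the claims. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <!-- Placeholder: thumbprint of the IP-STS (e.g. thinktecture IdentityServer) signing cert. -->
        <add thumbprint="PLACEHOLDER_IPSTS_SIGNING_CERT_THUMBPRINT" name="https://idp.example.com/issue" />
        <!-- Placeholder: thumbprint of the SharePoint STS signing cert. Required because, as
             the answer notes, SharePoint validates its own STS during claims creation. -->
        <add thumbprint="PLACEHOLDER_SHAREPOINT_STS_SIGNING_CERT_THUMBPRINT" name="SharePoint" />
      </trustedIssuers>
    </issuerNameRegistry>

  </service>
</microsoft.identityModel>
```

Two things to check after making this change: the thumbprints must be those of the signing certificates (not any SSL certificate) with no spaces or hidden characters copied from the certificate viewer, and the list should contain exactly the issuers the web application must accept, since every thumbprint in it can produce identities the site will trust.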